Password Breach Check
Check whether a password has appeared in a known data breach, using the Have I Been Pwned database of over 800 million compromised passwords.
Your password never leaves this page. It is hashed with SHA-1 in your browser and only the first 5 characters of that hash are sent to the breach database (k-anonymity). We never see, store, or transmit the password itself.
How it works
This tool uses the Have I Been Pwned Pwned Passwords range API with the k-anonymity model. Your password is hashed with SHA-1 locally, and only the first 5 characters of the hash are sent to the API. The API returns every hash suffix that shares that prefix, and the match is checked in your browser. The service never learns your password or the full hash.
Why breached passwords are dangerous
Attackers run credential-stuffing attacks using lists of passwords exposed in past breaches. If a password appears in any breach, it is effectively public and will be tried against your accounts. The fix is a unique password per account (a password manager makes this practical) plus multi-factor authentication.